Troj/FakeAV-GIH

Category: Viruses and Spyware
Type: Trojan
Protection available since: 23 Jan 2013 23:52:41 (GMT)
Last Updated: 23 Jan 2013 23:52:41 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/FakeAV-GIH include:

Example 1

File Information

Size
846K
SHA-1
19ba84fdcd74c050c5fe6d1fc09e413d9fb335de
MD5
6dbc5d73198ec1a71341246082b4a85d
CRC-32
c7e1544c
File type
Windows executable
First seen
2007-07-25

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\dmview.exe
  • c:\Documents and Settings\test user\Templates\explorer.exe
Dropped Files
  • c:\Documents and Settings\test user\Templates\spsreng.exe
    Size
    8.0K
    SHA-1
    161ce58c5298a4eef28437ce10dedeb3543d52fa
    MD5
    07f9bf43264060abcd3bb1686b78b66d
    CRC-32
    8fd4894e
    File type
    Windows executable
    First seen
    2012-10-21
  • C:\WINDOWS\system32\MSDCSC\msdcsc.exe
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Activex Application Updater
    c:\Documents and Settings\test user\Templates\spsreng.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\MSDCSC\msdcsc.exe
Processes Created
  • c:\Documents and Settings\test user\local settings\temp\dmview.exe
  • c:\Documents and Settings\test user\templates\explorer.exe
  • c:\Documents and Settings\test user\templates\spsreng.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
  • c:\windows\system32\msdcsc\msdcsc.exe
DNS Requests
  • mediaupdate.sytes.net

Example 2

File Information

Size
624K
SHA-1
b594f525ee9438c9df45aa2263a33584aa1c54e9
MD5
55bf858dcf86c4a5c3b8bfce1ac9d89d
CRC-32
65b3b4c8
File type
Windows executable
First seen
2012-10-30

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    iTunes
    c:\Documents and Settings\test user\Application Data\persbs.exe
  • HKCU\Software\Microsoft\Active Setup\Installed Components\{078FF5B2-49D8-6F2F-D2FF-C47DBCFA6B27}
    StubPath
    c:\Documents and Settings\test user\Application Data\persbs.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\\test_item.exe
    c:\\test_item.exe:*:Enabled:Windows Messanger
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    iTunes
    c:\Documents and Settings\test user\Application Data\persbs.exe
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{078FF5B2-49D8-6F2F-D2FF-C47DBCFA6B27}
    StubPath
    c:\Documents and Settings\test user\Application Data\persbs.exe
  • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
    Z76LBHRDEA
    January 23, 2013
  • HKCU\Software\VB and VBA Program Settings\SrvID\ID
    Z76LBHRDEA
    Pers
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    iTunes
    c:\Documents and Settings\test user\Application Data\persbs.exe
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
Processes Created
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\reg.exe
DNS Requests
  • 1zsecsqasd.no-ip.biz
  • 2zsecsqasd.no-ip.biz
  • zsecsqasd.no-ip.biz

Example 3

File Information

Size
846K
SHA-1
e2872813c1f06fb45b4043c8dc14d2b257edb058
MD5
47c76c750b656d4a21d6d5cd38cb9c25
CRC-32
3ac53ccb
File type
Windows executable
First seen
2012-12-15

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\dmview.exe
  • c:\Documents and Settings\test user\Templates\explorer.exe
Dropped Files
  • C:\WINDOWS\system32\MSDCSC\msdcsc.exe
  • c:\Documents and Settings\test user\Templates\spsreng.exe
    Size
    8.0K
    SHA-1
    161ce58c5298a4eef28437ce10dedeb3543d52fa
    MD5
    07f9bf43264060abcd3bb1686b78b66d
    CRC-32
    8fd4894e
    File type
    Windows executable
    First seen
    2012-10-21
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Activex Application Updater
    c:\Documents and Settings\test user\Templates\spsreng.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\MSDCSC\msdcsc.exe
Processes Created
  • c:\Documents and Settings\test user\local settings\temp\dmview.exe
  • c:\Documents and Settings\test user\templates\explorer.exe
  • c:\Documents and Settings\test user\templates\spsreng.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
  • c:\windows\system32\msdcsc\msdcsc.exe
DNS Requests
  • mediaupdate.sytes.net
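
The three examples above share a small set of host and network indicators: files dropped into user-writable profile directories and launched from Run, Policies\Explorer\Run and Active Setup StubPath entries, the Winlogon Userinit value extended with a second executable, a Windows Firewall exception plus DoNotAllowExceptions reset to 0, and lookups of dynamic-DNS hostnames. The following Python is an added example, not Sophos code: the hashes, domains and registry paths are copied from this page, the `RegValue` host records and the benign control entries at the bottom are constructed sample input, and the heuristics (any Userinit entry other than userinit.exe, any autostart pointing into a user-writable directory, any dynamic-DNS lookup) are assumptions that generalise beyond these three samples.

```python
"""Offline triage for the Troj/FakeAV-GIH indicators listed on this page.

Added example; not Sophos code. Indicator values are copied from the page;
the sample host data at the bottom is constructed to mirror the runtime
analysis, with benign control entries added.
"""
import hashlib
from dataclasses import dataclass

# --- indicators taken from the page -------------------------------------
KNOWN_SHA1 = {
    "19ba84fdcd74c050c5fe6d1fc09e413d9fb335de": "Troj/FakeAV-GIH (example 1)",
    "b594f525ee9438c9df45aa2263a33584aa1c54e9": "Troj/FakeAV-GIH (example 2)",
    "e2872813c1f06fb45b4043c8dc14d2b257edb058": "Troj/FakeAV-GIH (example 3)",
    "161ce58c5298a4eef28437ce10dedeb3543d52fa": "dropped spsreng.exe",
}
KNOWN_DOMAINS = {
    "mediaupdate.sytes.net",
    "zsecsqasd.no-ip.biz", "1zsecsqasd.no-ip.biz", "2zsecsqasd.no-ip.biz",
}
# Dynamic-DNS providers used by the samples; other hosts there merit a look too.
DYNDNS_SUFFIXES = (".sytes.net", ".no-ip.biz")

# --- generic heuristics (assumptions, not page content) ------------------
AUTOSTART_KEY_FRAGMENTS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
    "\\software\\microsoft\\active setup\\installed components\\",
)
# Directories a legitimate autostart entry should not point into.
USER_WRITABLE_FRAGMENTS = (
    "\\local settings\\temp\\", "\\templates\\", "\\application data\\", "\\appdata\\",
)
FW_PROFILE = "\\firewallpolicy\\standardprofile"
FW_AUTHORIZED = FW_PROFILE + "\\authorizedapplications\\list"


@dataclass
class RegValue:
    key: str
    name: str
    data: str


def check_registry(values):
    """Return (finding, where, detail) tuples for suspicious registry values."""
    findings = []
    for v in values:
        key, data = v.key.lower(), v.data.lower()
        if key.endswith("\\winlogon") and v.name.lower() == "userinit":
            # Default is "C:\WINDOWS\system32\userinit.exe,"; anything appended
            # after the comma is started at every interactive logon.
            entries = [e.strip() for e in data.split(",") if e.strip()]
            extra = [e for e in entries if not e.endswith("\\userinit.exe")]
            if extra:
                findings.append(("winlogon-userinit", v.key, extra))
        elif any(f in key for f in AUTOSTART_KEY_FRAGMENTS):
            if any(u in data for u in USER_WRITABLE_FRAGMENTS):
                findings.append(("autostart-from-user-dir", f"{v.key}\\{v.name}", v.data))
        elif key.endswith(FW_AUTHORIZED):
            # Every program listed here has an inbound firewall exception.
            findings.append(("firewall-exception", v.name, v.data))
        elif key.endswith(FW_PROFILE) and v.name.lower() == "donotallowexceptions":
            if data.strip() in ("0", "0x00000000"):
                findings.append(("firewall-exceptions-enabled", v.key, v.data))
    return findings


def check_dns(queries):
    """Classify queried names as known C2 from the page or generic dynamic DNS."""
    out = []
    for q in queries:
        name = q.lower().rstrip(".")
        if name in KNOWN_DOMAINS:
            out.append(("known-c2", name))
        elif name.endswith(DYNDNS_SUFFIXES):
            out.append(("dynamic-dns", name))
    return out


def check_hashes(observed):
    """observed maps path -> SHA-1 hex; matching is case-insensitive."""
    return [(p, KNOWN_SHA1[h.lower()]) for p, h in observed.items() if h.lower() in KNOWN_SHA1]


def sha1_of_file(path):
    """Hash a file on disk so its digest can be fed to check_hashes()."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# --- constructed sample host data mirroring the runtime analysis ---------
SAMPLE_REGISTRY = [
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
             r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\MSDCSC\msdcsc.exe"),
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Activex Application Updater",
             r"c:\Documents and Settings\test user\Templates\spsreng.exe"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run", "iTunes",
             r"c:\Documents and Settings\test user\Application Data\persbs.exe"),
    RegValue(r"HKCU\Software\Microsoft\Active Setup\Installed Components\{078FF5B2-49D8-6F2F-D2FF-C47DBCFA6B27}",
             "StubPath", r"c:\Documents and Settings\test user\Application Data\persbs.exe"),
    RegValue(r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
             r"c:\\test_item.exe", r"c:\\test_item.exe:*:Enabled:Windows Messanger"),  # misspelling is the sample's own
    RegValue(r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
             "DoNotAllowExceptions", "0x00000000"),
    # Benign controls (constructed): default Userinit and a vendor tray app under Program Files.
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
             r"C:\WINDOWS\system32\userinit.exe,"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VendorTray",
             r"C:\Program Files\Vendor\tray.exe"),
]
SAMPLE_DNS = ["mediaupdate.sytes.net", "2zsecsqasd.no-ip.biz",
              "other-host.sytes.net", "windowsupdate.microsoft.com"]
SAMPLE_HASHES = {  # second digest is a constructed placeholder, not a real file hash
    r"c:\Documents and Settings\test user\Templates\spsreng.exe": "161CE58C5298A4EEF28437CE10DEDEB3543D52FA",
    r"c:\windows\system32\userinit.exe": "0000000000000000000000000000000000000000",
}


def triage(registry=SAMPLE_REGISTRY, dns=SAMPLE_DNS, hashes=SAMPLE_HASHES):
    return {"registry": check_registry(registry), "dns": check_dns(dns), "hashes": check_hashes(hashes)}


if __name__ == "__main__":
    for section, items in triage().items():
        print(f"[{section}]")
        for item in items:
            print("  ", item)
```

On a live host the same functions take input from `reg.exe export` parsed into `RegValue` records, DNS client or proxy logs, and `sha1_of_file()` over the paths in the Copies Itself To and Dropped Files lists; the Userinit and firewall checks are worth keeping in a baseline scan regardless of this family, since both are reused widely.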
